Privacy Policy
StretchIT (the "App") · Publisher: Dannac Digital · ABN: 23 690 080 660 · Sydney, NSW, Australia · Contact: [email protected] · Effective February 21, 2026
Overview
StretchIT is an interval timer app for iOS and Android that helps you create, schedule, and complete timed routines. This Privacy Policy explains what information the App collects, how it is used, and what rights you have.
We designed the App with privacy in mind. Most of your data stays on your device and is never transmitted. Where we do collect data remotely, we use anonymous identifiers — we never ask for your name, email address, or account credentials within the App.
Data Summary
| Data Type | Stored Where | Sent Externally | Purpose |
|---|---|---|---|
| App settings (sounds, colors, volume, language, haptic mode) | On device only | No | Personalise your experience |
| Workout presets | On device only | User-initiated only (sharing via deep link, Pro feature) | Save your routines |
| Session history | On device only | No | Track your completed workouts |
| Scheduled sessions | On device only | No | Remind you of upcoming workouts |
| Quickstart values, user tags, onboarding state, app open count | On device only | No | App functionality |
| Anonymous usage analytics | PostHog servers (US) | Yes | Understand how the App is used and fix bugs |
| Crash and error reports | PostHog servers (US) | Yes | Diagnose and fix issues |
| Subscription status and purchase data | RevenueCat servers (US) | Yes | Manage subscriptions and restore purchases |
| Advertising data (free users only) | Google AdMob servers | Yes | Display non-personalised banner, interstitial, and app-open ads |
| Heart rate readings (BLE) | Temporarily in memory only | No* | Display real-time BPM during sessions |
| Heart rate device name | On device; PostHog (US) | Yes | Auto-reconnect; analytics event |
| Local notification identifiers | On device only | No | Schedule local reminders |
* Heart rate readings are never stored persistently or transmitted. The paired device name is sent to PostHog as part of a connection event and is also stored locally for reconnection.
1. Information We Collect
1.1 Information Stored Locally on Your Device
The following data is saved using on-device storage and is not automatically transmitted to any server:
- App settings — sound preferences, colour themes, volume levels, language, haptic feedback mode, and similar configuration choices.
- Workout presets — name, duration, number of sets, phase configuration, assigned sounds, colours, notes, tags, favourite status, and creation/modification timestamps.
- Session history — the name of the preset used, completion timestamp, total duration, number of sets, and work/rest times.
- Scheduled sessions — the linked preset, scheduled date, recurrence pattern, and local notification identifiers.
- Quickstart values — sets, work seconds, and rest seconds for the quick-start feature.
- User tags — custom labels you create to organise your presets.
- Guidance and onboarding state — whether you have completed onboarding flows or dismissed guidance prompts.
- App open count — the number of times you have opened the App, used to determine when advertisements begin appearing (free tier only).
Preset sharing (Pro feature): If you choose to share a preset, the App encodes the preset data into a shareable link that you can send to others via messaging apps, email, or other channels. This sharing is entirely user-initiated — the App does not transmit preset data automatically. The encoded data includes the preset's configuration (name, durations, phases, sounds, etc.) but does not include any personal identifiers.
You can delete this data at any time by clearing the App's data in your device settings or by uninstalling the App.
1.2 Analytics Data (PostHog)
We use PostHog to collect anonymous usage analytics. PostHog data is sent to servers located in the United States.
What we collect:
- Screen views — which screens you visit (captured automatically).
- App lifecycle events — when you open the App, move it to the background, or return to it.
- Custom events — session starts, completions, and abandons; preset creation, editing, and deletion; schedule changes; settings changes; purchase-related events; ad interactions; heart rate device connections; and error or crash reports.
- Person properties — your language setting, haptic mode, and whether you have connected a heart rate device.
- Crash data — error message, error type, stack trace, and component stack.
- Anonymous device identifier — an auto-generated UUID stored on your device. This is not linked to any login, email address, or other personally identifiable information.
What we do NOT collect through analytics:
- Your name, email address, or any account credentials.
- The contents of your presets, session history, or schedules.
- Precise location data.
Note on heart rate device names: When you connect a Bluetooth heart rate monitor, the device name is included in the analytics event. If your heart rate device name contains personally identifiable information (such as your name), that information will be sent to PostHog. You can rename your Bluetooth device in its manufacturer's app to avoid this.
PostHog's privacy policy: https://posthog.com/privacy
1.3 Subscription Data (RevenueCat)
We use RevenueCat to manage in-app subscriptions and purchases. RevenueCat servers are located in the United States.
What RevenueCat processes:
- Subscription status (trial, active, expired, or none).
- Plan type (monthly or yearly), expiration date, and renewal status.
- Billing issue detection and cancellation detection.
- Original purchase date and product identifiers.
- An anonymous user identifier (generated by RevenueCat, not linked to any personal account).
RevenueCat does not receive your name, email, or payment card details. Payment processing is handled entirely by Apple (App Store) or Google (Google Play), and we never see or store your payment information.
RevenueCat's privacy policy: https://www.revenuecat.com/privacy
1.4 Advertising Data (Google AdMob)
If you use the free version of the App, Google AdMob displays advertisements starting from your sixth app open (that is, after you have opened the App five times). The App explicitly requests non-personalised ads only.
Banner advertisements appear on the Home screen, Collection screen, Calendar screen, and Timer completion screen. Interstitial advertisements (full-screen) and app-open advertisements (displayed when returning to the App) may appear after your tenth app open.
What AdMob may collect:
- Ad impressions, clicks, and load failures (for banner, interstitial, and app-open ad formats).
- Device advertising identifiers (IDFA on iOS, Google Advertising ID on Android).
- IP address (used for country-level location only).
Because we request non-personalised ads, AdMob does not build an interest profile based on your activity in this App. If you subscribe to the Pro plan, no advertisements of any type are shown and no AdMob data is collected.
Google AdMob's privacy policy: https://policies.google.com/privacy
1.5 Heart Rate Data (Bluetooth)
The App can connect to Bluetooth Low Energy (BLE) heart rate monitors that advertise the standard Heart Rate Service.
- Real-time heart rate readings (BPM) are received from your device during active timer sessions. Readings are validated to be within the 20–250 BPM range.
- Heart rate readings are displayed on-screen in real time only. They are never stored persistently on your device and never transmitted to any server.
- Your paired device's identifier and name are stored locally on your device so the App can automatically reconnect in future sessions.
- As noted in Section 1.2, the heart rate device name is sent to PostHog as part of a device-connection analytics event.
When your timer session ends or you disconnect the device, heart rate data is discarded from memory.
1.6 Notifications
The App uses local notifications only — no push notification server is involved.
- Scheduled session reminders are triggered locally on your device at the times you configure.
- Trial expiry reminders may be scheduled locally (two days before your trial ends).
- Local notification identifiers are stored on your device only and are never sent to any external server.
1.7 Device Permissions
The App requests the following permissions:
| Permission | Platform | Purpose |
|---|---|---|
| Location (coarse and fine) | Android 6–11 only | Required by Android to perform BLE (Bluetooth Low Energy) scanning on older OS versions. Not used to determine your geographic location. Automatically excluded on Android 12 and above. |
| Bluetooth / Bluetooth Admin | Android 11 and below | Bluetooth heart rate monitor support on older OS versions |
| Bluetooth Scan (neverForLocation) | Android 12+ | Discover nearby heart rate monitors. Declared with neverForLocation — location data is never accessed through this permission. |
| Bluetooth Connect | Android 12+ | Connect to your heart rate monitor |
| Foreground Service | Android | Keep the timer running when the App is in the background |
| Internet | Android | Communicate with analytics, subscription, and advertising services over encrypted connections |
| Modify Audio Settings | Android | Adjust audio output for text-to-speech voice guidance during sessions |
| Post Notifications | Android | Display scheduled session reminders and trial reminders |
| Vibrate | Android | Provide haptic feedback during timer phases and interactions |
| Wake Lock | Android | Prevent the device from sleeping during an active session |
| Bluetooth | iOS (runtime) | Discover and connect to heart rate monitors |
| Notifications | iOS (runtime) | Display local reminders |
The App also declares <uses-feature android:name="android.hardware.bluetooth_le" android:required="false"/>, meaning Bluetooth Low Energy hardware is optional — the App can be installed and used on devices without BLE support.
The App does not request or use permissions for your camera, contacts, calendar, microphone, biometrics, or file storage.
2. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide core App functionality | Local settings, presets, history, schedules | Contract performance |
| Display real-time heart rate | BLE heart rate readings | Your consent (Bluetooth permission) |
| Understand usage patterns and improve the App | PostHog analytics events | Legitimate interest |
| Diagnose crashes and errors | Crash reports via PostHog | Legitimate interest |
| Manage your subscription | RevenueCat subscription data | Contract performance |
| Display advertisements (free tier) | AdMob advertising data | Legitimate interest / Your consent (where required by law) |
| Send local reminders | On-device notification data | Your consent (notification permission) |
| Auto-reconnect to heart rate device | Locally stored device name and ID | Legitimate interest |
We do not sell your personal information. We do not use your data for automated decision-making or profiling.
3. How We Share Your Information
We share data only with the following service providers, solely for the purposes described above:
| Provider | Data Shared | Server Location | Purpose |
|---|---|---|---|
| PostHog | Anonymous analytics events, crash data, anonymous device ID, HR device name | United States | Usage analytics and crash reporting |
| RevenueCat | Anonymous subscription and purchase data | United States | Subscription management |
| Google AdMob | Ad interaction data, device advertising IDs, IP address | United States / Global | Non-personalised ad delivery (free tier only) |
| Apple / Google | Payment and subscription data (handled by platform) | United States / Global | Payment processing |
We may also disclose information if required by law, regulation, legal process, or enforceable governmental request.
4. International Data Transfers
Dannac Digital is based in Australia. If you are located outside Australia, your analytics, subscription, and advertising data may be transferred to servers in the United States (PostHog, RevenueCat, Google). These transfers are necessary to provide the App's functionality.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland: transfers to the United States are carried out under Standard Contractual Clauses (SCCs) or equivalent mechanisms maintained by our service providers. You can review each provider's transfer mechanisms in their respective privacy policies linked above.
For users in Australia: our handling of personal information complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). While most of your data remains on your device, the analytics and subscription data described above may be disclosed to overseas recipients in the United States.
5. Data Retention
- On-device data (settings, presets, history, schedules): retained until you clear the App's data or uninstall the App. We have no access to this data.
- PostHog analytics: retained according to PostHog's data retention policies. Because records are linked only to an anonymous UUID, we cannot identify individual users to delete specific records. You can reset your anonymous ID by clearing the App's data or reinstalling.
- RevenueCat subscription data: retained as long as necessary to manage your subscription and comply with financial record-keeping requirements.
- AdMob data: retained according to Google's data retention policies.
- Heart rate readings: discarded from device memory immediately when a timer session ends or the heart rate device disconnects. Never stored persistently.
6. Your Privacy Rights
Depending on where you live, you may have some or all of the following rights regarding your personal information. Because the App does not require an account and uses anonymous identifiers, some of these rights may be limited in practice — we may not be able to identify your specific data.
6.1 Rights Under the EU General Data Protection Regulation (GDPR)
If you are in the European Economic Area, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — request that we limit processing of your data.
- Data portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests, including analytics.
- Withdraw consent — where processing is based on consent (e.g., Bluetooth, notifications), you can withdraw at any time through your device settings.
To exercise these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
6.2 Rights Under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose.
- Delete your personal information.
- Opt out of the sale or sharing of personal information — we do not sell or share your personal information as defined by the CCPA/CPRA.
- Non-discrimination — we will not discriminate against you for exercising your privacy rights.
Categories of personal information collected (as defined by the CCPA):
- Identifiers: anonymous device UUID, device advertising identifiers (IDFA / Google Advertising ID).
- Internet or electronic network activity: screen views, app lifecycle events, custom usage events, ad interactions.
- Commercial information: subscription status and purchase history (via RevenueCat and Apple/Google).
Categories sold or shared: None. We do not sell or share personal information.
To exercise your rights, contact us at [email protected].
6.3 Rights Under US State Privacy Laws
Residents of states with comprehensive privacy laws — including Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia, among others — generally have rights similar to those described in Sections 6.1 and 6.2, including the rights to access, delete, and opt out of certain processing. Contact us at [email protected] to exercise these rights.
6.4 Washington My Health My Data Act
Heart rate data is considered "consumer health data" under Washington's My Health My Data Act. The App:
- Collects heart rate data only with your affirmative consent (you must grant Bluetooth permission and actively initiate a connection to your heart rate device).
- Does not store heart rate data persistently — readings exist in device memory only during active timer sessions and are discarded immediately afterward.
- Does not sell, share, or transmit heart rate readings to any third party or server.
- Stores the heart rate device name locally for auto-reconnection. The device name is also sent to PostHog as part of an analytics event (see Section 1.2).
If you are a Washington state resident, you have the right to:
- Confirm whether we are collecting or sharing your consumer health data.
- Request deletion of your consumer health data.
- Withdraw consent for collection of your consumer health data by revoking Bluetooth permission in your device settings.
To exercise these rights, contact us at [email protected].
6.5 Rights Under the Australian Privacy Act
If you are in Australia, the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) give you the right to:
- Access personal information we hold about you.
- Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
- Complain about a breach of the APPs.
To make a request or complaint, contact us at [email protected]. If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au.
7. Data Security
We take reasonable measures to protect your information:
- The majority of your data is stored locally on your device and never transmitted.
- All data transmitted to PostHog, RevenueCat, and Google AdMob is sent over encrypted connections (HTTPS/TLS).
- The App uses anonymous identifiers rather than personal accounts, minimising the impact of any potential data breach.
- We do not store payment information — all payment processing is handled by Apple and Google.
No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
7.1 Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay through available means (such as an in-app notice or update to this Privacy Policy). Where required by applicable law (including the Australian Privacy Act, GDPR, or US state breach notification laws), we will also notify the relevant supervisory authority within the required timeframe.
8. Children's Privacy
The App is not intended for children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will take steps to delete such information.
9. Third-Party Links and Services
The App may contain links to third-party websites or services (for example, links to subscription management in the App Store or Google Play). This Privacy Policy does not apply to those third-party services. We encourage you to review their privacy policies separately.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective Date" at the top of this document and notify you through an in-app notice or other reasonable means. Your continued use of the App after any changes constitutes acceptance of the updated Privacy Policy.
11. Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or have a complaint, please contact us:
We aim to respond to all enquiries within 30 days.
12. Summary of Third-Party Service Privacy Policies
- PostHog: https://posthog.com/privacy
- RevenueCat: https://www.revenuecat.com/privacy
- Google AdMob / Google Privacy: https://policies.google.com/privacy
- Apple Privacy: https://www.apple.com/legal/privacy
- Google Play Privacy: https://policies.google.com/privacy